Building a Cybersecurity Strategy in a Hospital
Session #154, February 13, 2019
Susan D. Villaquiral, CISO, Fundación Valle del Lili
Conflict of Interest
Susan D. Villaquiral has no real or apparent conflicts of interest to report.
Agenda
- Who is Fundación Valle del Lili
- Definition of Cybersecurity
- Building a Cybersecurity Strategy
- Choosing HITRUST CSF
- HITRUST CSF and NIST CSF
- Organization Profile
- People, Process and Technology
- Tactics as part of the strategy
- Conclusions
- Questions
Learning Objectives
- Identify the main components of the implementation of a cybersecurity strategy in a hospital
- Design a working plan for the implementation of a cybersecurity strategy in a hospital
- Discuss the differences between the NIST Cybersecurity Framework and the HITRUST CSF
- Share the experience of a hospital in the process of implementing a cybersecurity strategy
- Classify the processes, people and technology that apply to each category of the Cybersecurity Framework
Fundación Valle del Lili
What is Cybersecurity?
Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyberattacks.
Elements of cybersecurity:
- Application security
- Information security
- Network security
- Disaster recovery / business continuity planning
- Operational security
- End-user education
Source: https://searchsecurity.techtarget.com/definition/cybersecurity?src=5822709&asrc=EM_ERU_103766138&utm_content=eru-rd2-rcpB&utm_medium=EM&utm_source=ERU&utm_campaign=20181120_ERU%20Transmission%20for%2011/20/2018%20(UserUniverse:%20455413)
How to build a Cybersecurity Strategy?
(Word cloud of terms surrounding "Cybersecurity Strategy": NGFW, IAM, Risk, NIST, DDoS, Data Breach, Data Governance, NotPetya, PHI, IPS, HITRUST, WannaCry, GDPR, HIPAA, IT Governance, Blockchain, AI)
Building a Cybersecurity Strategy
(Building block 1: Cybersecurity Framework)
Choosing HITRUST CSF
- It is specific to healthcare organizations
- It cross-references frameworks and laws such as NIST CSF, ISO 27001, JCI, HIPAA, COBIT and GDPR
- Its implementation levels are determined by organizational factors such as number of beds and number of physicians
- Its cross-reference with JCI matters because JCI accreditation is a short-term goal for the hospital
(Figure: HITRUST CSF as the hub that harmonizes NIST, Meaningful Use, ISO 27001/2, COBIT, FTC Red Flags, Texas Health & Safety Code, PCI and the HIPAA Omnibus Final Rule)
“Healthcare Sector Cybersecurity Framework Implementation Guide” https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf
Adoption of CSF
(Chart from the survey cited below)
“2018 HIMSS Cybersecurity Survey” https://www.himss.org/2018-himss-cybersecurity-survey
NIST CSF and HITRUST CSF

NIST CSF Function / Category:
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
- Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications

HITRUST CSF Control Category:
- 0.0 Information Security Management Program
- 01.0 Access Control
- 02.0 Human Resources Security
- 03.0 Risk Management
- 04.0 Security Policy
- 05.0 Organization of Information Security
- 06.0 Compliance
- 07.0 Asset Management
- 08.0 Physical and Environmental Security
- 09.0 Communications and Operations Management
- 10.0 Information Systems Acquisition, Development and Maintenance
- 11.0 Information Security Incident Management
- 12.0 Business Continuity Management
- 13.0 Privacy Practices
Building a Cybersecurity Strategy
(Building blocks so far: Cybersecurity Framework, Organization Profile)
Organization Profile
Who is your organization?
- Mission, vision and strategy
- Organizational culture and employees
- Regulatory requirements
- Main stakeholders
- Environment
- Financial strategy
- Main constraints
- IT budget
- Patient safety as a main concern
The Baldrige Excellence Framework for Health Care can be a good guide for performing this assessment.
“About the Baldrige Excellence Framework (Health Care)” https://www.nist.gov/baldrige/about-baldrige-excellence-framework-health-care
“Suited” Cybersecurity Framework
HITRUST organizational factors that set the implementation level (Level 1 applies to all organizations; Levels 2 and 3 add requirements as the factor grows):

Organizational Factor | Level 1 | Level 2 | Level 3
Beds | Applicable to all organizations | Between 200 and 750 beds | Greater than 750 beds
Health Plan / Insurance / PBM | Applicable to all organizations | Between 1 million and 7.5 million lives | Greater than 7.5 million lives
HIE Transactions | Applicable to all organizations | Between 1 and 6 million transactions | More than 6 million transactions
Hospital Admissions | Applicable to all organizations | Between 7.5k and 20k patients | More than 20k patients
IT Service Provider | Applicable to all organizations | Between 15 and 60 terabytes (TB) | More than 60 terabytes (TB)
Non-IT Service Provider | Applicable to all organizations | Between 25 and 100 megabytes (MB) | More than 100 megabytes (MB)
Pharmacy Companies | Applicable to all organizations | Between 10 million and 60 million prescriptions | Greater than 60 million prescriptions
Physician Count | Applicable to all organizations | Between 11 and 25 physicians | Greater than 25 physicians
Physician Encounters | Applicable to all organizations | Between 60k and 180k encounters | Greater than 180k encounters
Record Count (Annual) | Applicable to all organizations | Between 180k and 725k records | More than 725k records
Record Total | Applicable to all organizations | Between 10 and 60 million records | More than 60 million records
Geographic Scope | Applicable to all organizations | Multi-State | Off-shore (outside U.S.)
Process, People and Technology
Which of the three dimensions each NIST CSF category draws on (cells are reproduced as extracted from the slide; for rows with two entries the slide does not preserve which column is blank):

Function | Category | People / Process / Technology
Identify | Asset Management | Applies / Applies / Applies
Identify | Business Environment | Applies / Applies
Identify | Governance | Applies / Applies
Identify | Risk Assessment | Applies / Applies / Applies
Identify | Risk Management Strategy | Applies / Applies
Identify | Supply Chain Risk Management | Applies / Applies
Protect | Identity Management and Access Control | Applies / Applies / Applies
Protect | Awareness and Training | Applies / Applies
Protect | Data Security | Applies / Applies / Applies
Protect | Information Protection Processes and Procedures | Applies / Applies / Applies
Protect | Maintenance | Applies / Applies / Applies
Protect | Protective Technology | Applies / Applies / Applies
Detect | Anomalies and Events | Applies / Applies / Applies
Detect | Security Continuous Monitoring | Applies / Applies / Applies
Detect | Detection Processes | Applies / Applies
Respond | Response Planning | Applies / Applies
Respond | Communications | Applies / Applies
Respond | Analysis | Applies / Applies / Applies
Respond | Mitigation | Applies / Applies / Applies
Respond | Improvements | Applies / Applies
Recover | Recovery Planning | Applies / Applies
Recover | Improvements | Applies / Applies
Recover | Communications | Applies / Applies
Building a Cybersecurity Strategy
(Building blocks so far: Cybersecurity Framework, Organization Profile, Risk)
Risk Assessment
A risk assessment based on your organization's profile can show:
- Inside threats
- Outside threats
- Risks aligned with the strategy of the organization, such as:
  - Patient safety
  - Electronic Health Record availability, privacy and integrity
The HITRUST Threat Catalogue can be a good source of risks to consider during the assessment.
The result should be a gap analysis, which becomes one of the inputs to the construction of the strategy.
Building a Cybersecurity Strategy
(Building blocks: Cybersecurity Framework, Organization Profile, Risk; tactics on top: CISO's Team, Asset Management, Architecture Protection, Endpoint Protection, E-mail Protection, Identity & Access Management, Access Control, Incident Response, Policies, Awareness)
CISO’s Team
Four functional areas under the CISO:
- Protect, Defend, Prevent
- Monitor, Hunt, Detect
- Respond, Recover, Sustain
- Govern, Manage, Educate
Carnegie Mellon University, “Structuring the Chief Information Security Officer Organization”
CISO’s Team
Organization chart under the CISO (from the same Carnegie Mellon University paper):
- Security Engineering: Identity and Access Management; Applications Security; Host and Network Security
- Information Asset Security: Access Control
- SOC: Incident Management
- Program Management: Governance, Risk and Compliance
Asset Management
- Build an up-to-date inventory that includes medical devices
- Use agent-based tools to keep a remotely updated inventory of the assets
- Make sure to create, or participate in, a committee that evaluates new incoming technology
- ISO 55001:2014 Asset management
- AdHopHTA European Project on Hospital Based Health Technology Assessment
“AdHopHTA – European Project on Hospital Based Health Technology Assessment” http://www.adhophta.eu/sites/files/adhophta/media/adhophta_handbook_website.pdf
Asset Management
Asset lifecycle: Requirements Definition → Asset Planning → Asset Acquisition → Operations and Maintenance → Asset Monitoring → Renewal → Disposal
“Architecture” Protection
(Network diagram: the layers between the Internet and the EHR servers)
Endpoint Protection
- First line of defense between the end user and your devices
- A signature-based antivirus is not enough for today's threats
- It will help you keep your inventory updated
- Retrospective analysis over time and a sandbox are useful for finding patient zero
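The retrospective point deserves a concrete illustration. The script below is an added example, not code from the talk or from any endpoint product: it replays constructed agent telemetry (invented hostnames, truncated invented hashes, invented timestamps) and shows why a sandbox verdict that arrives a day after a file first executed still matters. Searching the history for the hash finds patient zero and every host that touched the file, including the sightings that happened before any signature existed, which a signature-only antivirus could never have flagged.

```python
"""Retrospective endpoint analysis: finding patient zero after a sandbox verdict.

Added example for this talk. Hostnames, hashes and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    sha256: str      # truncated, constructed hashes for readability
    action: str      # "seen" (written to disk) or "executed"


# Constructed endpoint-agent telemetry, one event per line (not real hospital data).
TELEMETRY_LINES = """
2019-02-01T08:02:11Z host=WS-ONC-04 sha256=aa11 action=executed
2019-02-01T08:05:40Z host=WS-ONC-04 sha256=bb22 action=seen
2019-02-01T09:17:03Z host=WS-RAD-12 sha256=aa11 action=seen
2019-02-01T09:30:55Z host=SRV-FILE-01 sha256=aa11 action=executed
2019-02-02T07:00:00Z host=WS-ER-07 sha256=cc33 action=executed
2019-02-02T11:45:12Z host=WS-ADM-19 sha256=aa11 action=executed
""".strip().splitlines()

# The sandbox detonated aa11 and returned "malicious" at this moment (constructed);
# no signature for the file existed before it.
SANDBOX_VERDICT_AT = datetime(2019, 2, 2, 10, 0, 0, tzinfo=timezone.utc)


def parse_line(line: str) -> FileEvent:
    """Parse '<ISO-8601 UTC> host=<h> sha256=<x> action=<a>' into a FileEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return FileEvent(ts, kv["host"], kv["sha256"], kv["action"])


def load_events(lines) -> List[FileEvent]:
    """Parse all lines and order them oldest first, so the timeline can be walked."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)


def retrospective_hits(events, bad_hash) -> List[FileEvent]:
    """Every sighting of the hash, oldest first, regardless of when it was classified."""
    return [e for e in events if e.sha256 == bad_hash]


def patient_zero(events, bad_hash) -> Optional[FileEvent]:
    """The earliest sighting: the host where containment and root-cause work start."""
    hits = retrospective_hits(events, bad_hash)
    return hits[0] if hits else None


def missed_by_signatures(events, bad_hash, verdict_at) -> List[FileEvent]:
    """Sightings before a signature existed. A signature-only antivirus could not
    have blocked these; only a retrospective search over history exposes them."""
    return [e for e in retrospective_hits(events, bad_hash) if e.ts < verdict_at]


def affected_hosts(events, bad_hash) -> List[str]:
    """Distinct hosts that saw the file, in order of first contact (the containment list)."""
    seen: List[str] = []
    for e in retrospective_hits(events, bad_hash):
        if e.host not in seen:
            seen.append(e.host)
    return seen


if __name__ == "__main__":
    evs = load_events(TELEMETRY_LINES)
    pz = patient_zero(evs, "aa11")
    print("patient zero:", pz.host, pz.ts.isoformat())
    print("hosts to contain:", affected_hosts(evs, "aa11"))
    print("sightings before any signature existed:",
          len(missed_by_signatures(evs, "aa11", SANDBOX_VERDICT_AT)))
```

In the constructed timeline three of the four sightings of aa11 predate the sandbox verdict; only the last one, on WS-ADM-19, would have been caught in real time by a signature. The same walk over history is what lets the agent-based inventory from the asset management slide double as a detection record: an agent that reports file hashes continuously is also the data source for this search.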
E-mail Protection
(Chart from the survey cited below)
“2018 HIMSS Cybersecurity Survey” https://www.himss.org/2018-himss-cybersecurity-survey
Identity and Access Management
Identity lifecycle (diagram):
01 Provisioning
02 Authentication
03 Authorization
04 Self-service
05 Password Management
06 Compliance
07 Deprovisioning
Access Control
Every access decision answers four questions:
- Who (Identity)
- When (Schedule)
- Where (Local or remote)
- What (Resource)
Incident Response
- The incident response team is formed at the time of the event; its roles, responsibilities and tools are defined beforehand in a procedure
- End users must also be trained so that they know what to do in case of a cybersecurity incident
Phases: Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-Incident Activity
Policies
- Development and maintenance of policies and procedures are a main component
- Policies are defined in the Security and Privacy Committee, which is part of the IT governance strategy
Governance structure: IT Governance Committee (C-suite) → Security and Privacy Committee
Awareness: Cultural Change
Build a cybersecurity education program for all the employees of the organization.
Main stakeholders:
- Physicians
- Nurses
- Administrative staff
- Third-party vendors
- C-suite
Maturity stages: Non-existent → Compliance Focused → Promoting Awareness and Change → Long-Term Sustainment and Cultural Change → Metrics
Building a Cybersecurity Strategy
(Complete picture: Cybersecurity Framework, Organization Profile and Risk as the foundation; CISO's Team, Asset Management, Architecture Protection, Endpoint Protection, E-mail Protection, Identity & Access Management, Access Control, Incident Response, Policies and Awareness as the tactics; together they form the Cybersecurity Strategy)
What should the goal be?
Run the strategy like a Scrum product: the CISO owns the Product Backlog, fed by
- Compliance
- Risks
- Organization changes
- Requirements
- Threats
Product Backlog → Sprint Backlog → Sprint → Result
Questions
Susan Villaquiral
E-mail: Susan.Villaquiral@fvl.org.co
Twitter: @sdv_87
Remember to complete the online session evaluation.
Thank you! (¡Gracias!)